Releases retrieved: 6.0.11, 6.0.11, 8.1.1, 8.1.1
Upstream release that is considered latest: 8.1.1
Current version/release in rawhide: 8.1.0-5.fc39
URL: https://github.com/nodejs/llhttp

Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/

More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_Monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.

Based on the information from Anitya: https://release-monitoring.org/project/241543/

To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/llhttp
Existing F39 PR for this release: https://src.fedoraproject.org/rpms/llhttp/pull-request/12
Existing F38 PR for this release: https://src.fedoraproject.org/rpms/llhttp/pull-request/11

Actually doing the update in F39 and F38 should be possible now that aiohttp 3.8.5 has support for llhttp 8.1.1; see https://github.com/aio-libs/aiohttp/issues/7327, which is still open, but is nevertheless fixed according to the release notes, https://github.com/aio-libs/aiohttp/releases/tag/v3.8.5. A coordinated update in a side tag will be required. I expect to have something ready and validated in the next few days.

I see that there is a security issue in play, https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w and https://github.com/advisories/GHSA-cggh-pq45-6h9x, AKA CVE-2023-30589. This can be fixed by a compatible update in F38 and F39.

F37 and EPEL9 are also affected, but since they use llhttp 6.x, updating llhttp to a current version will break API and ABI and will require an exception to the Updates Policy. (I would rather not attempt to backport the fix.) Given the CVE and the limited impact (only python-aiohttp depends on llhttp), I judge it likely that such a request would be granted.
(In reply to Ben Beasley from comment #1)
> F37 and EPEL9 are also affected, but since they use llhttp 6.x, updating
> llhttp to a current version will break API and ABI and will require an
> exception to the Updates Policy. (I would rather not attempt to backport the
> fix.) Given the CVE and the limited impact (only python-aiohttp depends on
> llhttp), I judge it likely that such a request would be granted.

An alternative for these releases would be to convert python-aiohttp to a pure-Python package by building it with AIOHTTP_NO_EXTENSIONS=1, which is a documented mitigation, at the cost of performance.
I suppose bundling llhttp 8.1.1 with python-aiohttp in F37 and EPEL9 would also be possible, but that seems silly since the llhttp package currently exists only to support python-aiohttp.
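A check that applies the reasoning in this thread to an installed system, added here as an example and not part of the bug report: it reports whether python-aiohttp is running its compiled parser or the pure-Python fallback (the AIOHTTP_NO_EXTENSIONS=1 mitigation), and, for the compiled parser, whether the system llhttp is at least 8.1.1. It assumes the Fedora layout in which the aiohttp C extension links the system llhttp package and that rpm is available for the version query.

```python
"""Assess exposure of an installed python-aiohttp to the llhttp issue in this
bug (CVE-2023-30589) using the thread's own logic: the C extension uses the
system llhttp, so llhttp >= 8.1.1 is fixed, while a pure-Python build
(AIOHTTP_NO_EXTENSIONS=1) does not use llhttp at all."""
import importlib.util
import shutil
import subprocess

FIXED_LLHTTP = (8, 1, 1)  # first llhttp release this bug names as fixed


def parse_version(text):
    """'8.1.0-5.fc39' -> (8, 1, 0); the RPM release after '-' is ignored."""
    upstream = text.strip().split("-", 1)[0]
    return tuple(int(part) for part in upstream.split("."))


def parser_backend():
    """'c' if aiohttp's compiled parser is importable, 'python' if only the
    pure-Python fallback is present, None if aiohttp is not installed."""
    if importlib.util.find_spec("aiohttp") is None:
        return None
    return "c" if importlib.util.find_spec("aiohttp._http_parser") else "python"


def system_llhttp_version():
    """Query rpm for the installed llhttp version (assumption: the aiohttp C
    extension links this system library). None if rpm is unavailable."""
    if shutil.which("rpm") is None:
        return None
    proc = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}", "llhttp"],
                          capture_output=True, text=True)
    return parse_version(proc.stdout) if proc.returncode == 0 else None


def assess(backend, llhttp_version):
    """Verdict for one (parser backend, llhttp version) pair."""
    if backend is None:
        return "not installed"
    if backend == "python":
        return "mitigated: pure-Python parser, llhttp not used"
    if llhttp_version is None:
        return "unknown: C parser in use but llhttp version not determined"
    shown = ".".join(map(str, llhttp_version))
    if llhttp_version >= FIXED_LLHTTP:
        return "fixed: llhttp %s" % shown
    return "affected: llhttp %s < 8.1.1" % shown


if __name__ == "__main__":
    print(assess(parser_backend(), system_llhttp_version()))
```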
FEDORA-2023-ad76deb86e has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-ad76deb86e
FEDORA-2023-ad76deb86e has been pushed to the Fedora 39 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2023-f75af676f2 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f75af676f2
FEDORA-2023-f75af676f2 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-f75af676f2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-f75af676f2
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-f75af676f2 has been pushed to the Fedora 38 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2023-105880e618 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-105880e618
FEDORA-2023-105880e618 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-105880e618`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-105880e618
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-105880e618 has been pushed to the Fedora 37 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2023-e2fcc4af81 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-e2fcc4af81
FEDORA-EPEL-2023-e2fcc4af81 has been pushed to the Fedora EPEL 9 testing repository.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-e2fcc4af81
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2023-e2fcc4af81 has been pushed to the Fedora EPEL 9 stable repository. If the problem still persists, please make note of it in this bug report.